How Defence in Depth could have helped the Stormshield Breach.Michael Urgero 17/03/2021 Industry News
Security Fridays Week 27 – Layered security and the end of the old perimeter
A brief look into the Stormshield breach
Okay I will give you a moment to enjoy the schadenfreude of a security company having their firewall code stolen over a network breach. It is one of those ironies that tends to make people forget the seriousness of the situation, when security companies get breached and have things like source code stolen this can have a knock-on effect to a lot of other organisations that rely on their products to protect them. In this case, even up to government level.
It leads to a couple of points that are well worth talking about though, those being defence in depth and considering the risks of single vendor solutions throughout an estate. They both have a vital role in helping to prevent this kind of issue and protecting from its outfall.
The article starts with talking about a breach of a customer support portal, and then goes on to the fact that the intrusion then led to the loss of source code. They don’t go in to great detail as to how those two incidents are linked but there are two alternatives. Either the source code was held on the customer support portal, which seems highly unlikely, or the portal was used as a jump point to the rest of the network.
This is where the concept of defence in depth becomes most important and the concept of the traditional perimeter fails to meet today’s challenges. It is hard to believe that the support portal for customers needs any access to the area where source code is held. So why on earth should they even have connectivity?
If they do, it should be policed by several layers of security, another firewall (of another make but we shall come to that shortly), locked down VLANS, Multi factor authentication to access those sensitive servers. The concept that all data should be able to move freely across an organisation once you have got in past the perimeter is one of the most pervasive risks to security. Reducing the attack surface by minimising access is vastly preferable.
To the second point, breaches occur for many reasons, but the most dangerous are zero-day attacks. There can be no preparation for them, no one is aware so you suddenly find a piece of your technology fails you until it’s patched. This weakness is only magnified in homogenous environments. Say you follow the principle of defence in depth and you subscribe to the theory of a DMZ (very wise), then you decide to protect both sides of it with the same make of firewall because that’s easier to configure and maintain right?
Okay that is true, but then an incident like this or a zero day occurs. In a homogeneous environment then suddenly both security devices are compromised. They can use the same attack to walk in to your inside network. Not ideal.
In a heterogeneous environment one fails. So either your external firewall fails and they can get in to your DMZ which is low risk and designed to be accessed or your interior firewall fails which they can’t get to as it’s protected by your still functional exterior firewall, and will be patched soon enough.
This same effect goes for all sorts of things. Cloud service security layers, routers, multiple ISPs. Whenever you have two of something you should really be asking yourself are the benefits of having an easy life worth the massive reduction in security in case of an unknown weakness in one manufacturers product?
Read the article that was analysed here: https://www.zdnet.com/article/security-firm-stormshield-discloses-data-breach-theft-of-source-code/